Closed SeriousHoax closed 2 years ago
I'm not very familiar with this extension, but browsing the source code it looks like it works by changing some of the page CSS, specifically the background colors on elements. What I think is happening is that the new CSS injected by the plugin is disrupting the CSS used on the test page, and as such it's showing as not vulnerable. If that's the case, it's actually true, and CSS injection did not occur. This won't disrupt all CSS exfil attack vectors, but it looks like it (unintentionally) does disrupt some of the vectors.
In Firefox, when the extension https://addons.mozilla.org/en-US/firefox/addon/dark-background-light-text/ is installed, the tester page shows that your browser is not vulnerable and, when disabled, shows vulnerable. Is this bug of the test method or the said extension is somehow unintentionally protecting from the CSS Exfil Vulnerability?
Here, "Dark Background and Light Text" is enabled,
Here, "Dark Background and Light Text" is disabled,
Note: In both cases, your extension "CSS-Exfil-Protection" is not installed in the browser. Github of Dark Background and Light Text: https://github.com/m-khvoinitsky/dark-background-light-text-extension